Mobile biometrics - assessing the technologies

Finding mobile authentication solutions that balance security, cost and user needs is a growing challenge for today’s businesses. Long, complex passwords are difficult to remember and almost impossible to use on mobile devices. Smartcards and one-time password (OTP) tokens are expensive to purchase and frequently lost or forgotten. But there is a simple solution … biometrics.

Biometrics uses human characteristics to authenticate and protect systems. However, cost, usability and performance have inhibited widespread use. Now, high-quality, low-cost sensors have entered the market, putting biometrics in the hands of consumers for the first time. But availability doesn’t necessarily translate to viability.

Biometric sensors

There are three types of biometric sensors available for mobile devices: add-on sensors, embedded biometric sensors and embedded native sensors.

Add-on sensors are hardware peripherals that incorporate biometrics to create authentication solutions for mobile devices. There are generally two kinds of add-on sensor: the sleeve, which fits around the device; and plug-ins, which attach using a cable. While these are usually high quality and suited to most enterprises, there are a number of downsides.

For starters, the sleeve varieties are often specific to a particular device and may not be usable for every device in the enterprise. They will also need to be replaced or upgraded as users change phone models. And while the plug-in sensors are more independent of the device itself, they are less acceptable to users, and can have a greater adverse impact on user experience.

Perhaps the greatest downside to add-on sensors is that, like OTP tokens, they are often forgotten, lost or broken, and are expensive to replace.

Increasingly, mobile manufacturers are adding special-purpose, embedded biometric sensors to their devices. The most high-profile of these is the Touch ID fingerprint sensor in the Apple iPhone 5s and the built-in fingerprint sensor in the Samsung Galaxy S5. Other vendors are climbing on board, installing fingerprint sensors and very high definition cameras that can capture iris images, putting biometric capabilities into the hands of ordinary customers.

While all this increases the likelihood of users accepting them in the enterprise, there are a couple of drawbacks. Embedded sensors are specific to particular manufacturers and models of devices, placing constraints on enterprises with BYOD policies in place. Their value is also affected by the relatively short lifetime of consumer devices. There is also the very real concern of the effectiveness and efficacy of the sensors being compromised. For example, the size of a fingerprint sensor may be reduced to fit the available real estate on a mobile device. This means less of the fingerprint is available during each capture, which can affect the accuracy and usability of the authentication solution.

Current devices have a range of capabilities that can be exploited to collect biometric data. Embedded native sensors such as microphones, cameras, touchscreens, gyroscopes and accelerometers can capture a variety of data, which can be used for biometric authentication. The biggest advantage of embedded native sensors is that they are available on almost all current mobile devices. Such broad availability increases the suitability for enterprise applications.

However, embedded native sensors are not without potential problems. Smartphone cameras have small sensors, fixed focal lengths and apertures, and wide fields of view - perfect for an arm’s length selfie but not necessarily for capturing a high-definition iris scan. Similarly, microphones differ from those used in landlines, and often include noise-cancelling technologies that could modify voice characteristics used in voice biometrics. Also, due to the limited availability of APIs, there may also be constraints on how biometric solutions integrate with native sensors to control and configure hardware.

Biometric modes

There are three main categories of biometric modes implemented in mobile solutions: traditional biological, new biological and behavioural.

Law enforcement, border security and civil identity agencies have been using traditional biological modes for years. These applications primarily use fingerprint, DNA, facial recognition and iris biometrics, and are based on significant, long-standing scientific research and large-scale testing.

There has also been significant deployment of voice biometrics that leverage existing call centre and interactive voice response (IVR) implementations within the finance, insurance, healthcare and social service industries. Some of these tried-and-tested modes translate well into the mobile device arena, particularly voice biometrics, though developers have had to adapt algorithms to handle the different acoustics of the mobile channel. The increasing resolution of cameras on mobile devices makes them ideal as face biometric sensors.

Developers are also coming up with a number of novel, new biological modes that take advantage of mobile features while also creating good user experiences. Most of these incorporate existing cameras. However, new modes lack the depth of scientific investigation and real-world testing of more traditional modes, making it difficult for potential customers to judge the suitability of these modes for enterprise applications. Furthermore, variability in the quality and characteristics of mobile device cameras means not all devices will capture biometric characteristics with the same level of precision.

New modes with some relationship to or basis in traditional modes are a safer option. For example, eye-vein-pattern biometric solutions use the camera to capture images of the eye and identify patterns in the visible veins. Vein patterns are a well-known biometric mode, with hand and palm vein patterns implemented for applications including physical access control systems (PACS) and ATM authentication.

Other new biological modes include periocular (using the shape of the eye sockets), whole face geometry and palm patterns. In short, if new biological modes relate to well-known, traditional methods, there is a much higher likelihood it will be accepted by users.

Behavioural biometric modes are based on measuring behavioural characteristics to uniquely identify an individual. In the context of mobile biometrics, gyroscopes and accelerometers can measure a number of behaviours and unique patterns of usage. Behavioural biometric modes are often combined with traditional authentication modes, such as a known secret. For example, measuring the way a person interacts with the touchscreen when entering a password can add assurance that the correct person is being granted access and not just a different person who knows the password.

However, there hasn’t been significant scientific study into the distinctiveness and stability of behavioural biometrics. This lack of information can make it difficult for potential customers to judge the security, accuracy and suitability for enterprise applications.

With positives and negatives surrounding each of the sensors and modes, it is up to the individual enterprise to decide which solution best works for them, or if they are even ready to consider mobile biometrics at all.

*Anne Robins is a Research Director on the Gartner for Technical Professionals (GTP) team, as well as a member of the Identity and Privacy Strategies team. With more than 20 years’ experience, Anne is a respected expert in the fields of security compliance, security architecture and biometrics.

Image credit: ©iStockphoto.com/JLGutierrez